UNPKG

app-store-server-api

Version:

A client for the App Store Server API

github.com/agisboye/app-store-server-api

agisboye/app-store-server-api

89 lines (88 loc) 4.71 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } return new (P || (P = Promise))(function (resolve, reject) { function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } step((generator = generator.apply(thisArg, _arguments || [])).next()); }); }; import { X509Certificate } from "crypto"; import * as jose from "jose"; import { APPLE_ROOT_CA_G3_FINGERPRINT } from "./AppleRootCertificate"; import { CertificateValidationError } from "./Errors"; export function decodeTransactions(signedTransactions, rootCertFingerprint) { return __awaiter(this, void 0, void 0, function* () { return Promise.all(signedTransactions.map(transaction => decodeJWS(transaction, rootCertFingerprint))); }); } export function decodeTransaction(transaction, rootCertFingerprint) { return __awaiter(this, void 0, void 0, function* () { return decodeJWS(transaction, rootCertFingerprint); }); } export function decodeRenewalInfo(info, rootCertFingerprint) { return __awaiter(this, void 0, void 0, function* () { return decodeJWS(info, rootCertFingerprint); }); } export function decodeNotificationPayload(payload, rootCertFingerprint) { return __awaiter(this, void 0, void 0, function* () { return decodeJWS(payload, rootCertFingerprint); }); } /** * Decodes and verifies an object signed by the App Store according to JWS. * See: https://developer.apple.com/documentation/appstoreserverapi/jwstransaction * @param token JWS token * @param rootCertFingerprint Root certificate to validate against. Defaults to Apple's G3 CA but can be overriden for testing purposes. */ function decodeJWS(token, rootCertFingerprint = APPLE_ROOT_CA_G3_FINGERPRINT) { return __awaiter(this, void 0, void 0, function* () { // Extracts the key used to sign the JWS from the header of the token const getKey = (protectedHeader, _token) => __awaiter(this, void 0, void 0, function* () { // RC 7515 stipulates that the key used to sign the JWS must be the first in the chain. // https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6 var _a, _b; // jose will not import the certificate unless it is in a proper PKCS8 format. const certs = (_b = (_a = protectedHeader.x5c) === null || _a === void 0 ? void 0 : _a.map(c => `-----BEGIN CERTIFICATE-----\n${c}\n-----END CERTIFICATE-----`)) !== null && _b !== void 0 ? _b : []; validateCertificates(certs, rootCertFingerprint); return jose.importX509(certs[0], "ES256"); }); const { payload } = yield jose.compactVerify(token, getKey); const decoded = new TextDecoder().decode(payload); const json = JSON.parse(decoded); return json; }); } /** * Validates a certificate chain provided in the x5c field of a decoded header of a JWS. * The certificates must be valid and have been signed by the provided * @param certificates A chain of certificates * @param rootCertFingerprint Expected SHA256 signature of the root certificate * @throws {CertificateValidationError} if any of the validation checks fail */ function validateCertificates(certificates, rootCertFingerprint) { if (certificates.length === 0) throw new CertificateValidationError([]); const x509certs = certificates.map(c => new X509Certificate(c)); // Check dates const now = new Date(); const datesValid = x509certs.every(c => new Date(c.validFrom) < now && now < new Date(c.validTo)); if (!datesValid) throw new CertificateValidationError(certificates); // Check that each certificate, except for the last, is issued by the subsequent one. if (certificates.length >= 2) { for (let i = 0; i < x509certs.length - 1; i++) { const subject = x509certs[i]; const issuer = x509certs[i + 1]; if (subject.checkIssued(issuer) === false || subject.verify(issuer.publicKey) === false) { throw new CertificateValidationError(certificates); } } } // Ensure that the last certificate in the chain is the expected root CA. if (x509certs[x509certs.length - 1].fingerprint256 !== rootCertFingerprint) { throw new CertificateValidationError(certificates); } }